#4 Securely connecting IoT to MS Azure

Secure IoT connectivity to Microsoft Azure

Recipe: Configure secure end-to-end IoT cellular connectivity with MS Azure cloud

Ingredients: MS Azure account, iSimplyConnect Network Connector, iSimplyConnect SIMs

Get Cooking:

The recipe steps through the creation of a Windows OS Server virtual machine (VM) and the configurations necessary for the Azure Network Security Group, to enable seamless connectivity to iSimplyConnect enabled IoT endpoints.

Steps to deploying an Azure based Windows Server VM

  1. Log into your account on the Azure portal
  2. From the resources menu, select Compute and choose a Windows OS based VM as the resource, e.g. Windows Server 2012
  3. After selecting Create, follow the VM creation steps:
    1. Enter the basic settings, e.g. name, disk type, resource groups
    2. To minimize latency, select the Azure location that is relevant to your SIMs region
  4. It will take a few moments for the VM to spin up

1. From the resources dashboard in MS Azure, select add “+”, then in the new column select Compute


2. Follow the instructions and configure the virtual machine resources in MS Azure


3. To check that the VM is operational, select “Connect” to establish an RDP session


Configuring the Azure Network Security Group (NSG)

  1. While logged into the Azure portal, browse to the NSG via the resources tab
  2. Navigate to the network security group assigned to the VM
  3. In the Outbound rules, add a rule to enable secure HTTP (HTTPS > port 443)

Configuring the Asavie Network Connector

Connect to the Windows Server VM using RDP (Remote Desktop Protocol). Once connected, open a browser on the server and log into your iSimplyConnect account (https://iot.isimplyconnect.com/login).

In the iSimplyConnect portal, select the Network Settings tab and either add a new Network Connector using the “+” symbol, or select Install from the drop-down menu in the Actions column.

Browse to the downloaded file on the Azure VM and double click it to install the Network Connector. Keep your activation code for the Network Connector close to hand.

1 – In the downloads folder of the Windows Instance you will see an Asavie supplied application

The application (agent_3.x.x.abcd_isimplyconnect_en-us_x64.msi) will install, activate and connect your instance to the Asavie PassBridge™ network.

2 – The installer will prompt you for an activation code, which is available through the iSimplyConnect portal.

Note: The activation code can be retrieved by logging into your iSimplyConnect account.

3 – Job done! The network connector now securely connects the cloud mile to the network broker from Asavie

iSimplyConnect Network Connector

Once installed and running, the Network Connector virtual private connectivity client shows “Network Connector status” as connected in the application window.

Occasionally, on Windows Server 2012, the Network Connector application will show the Tunnel as Down. To correct this, browse to the Network Connections adapter properties, i.e. Control Panel > Network and Internet > Network Connections. Right click on the Asavie Virtual Network Adapter and select View Properties.

Close the adapter properties window, then select Restart from the Network Connector parameters as shown in the image to the right. On restart, the Windows OS assigns the correct properties to the virtual private agent.

In the iSimplyConnect portal you will see the status for the Network Connector as “on” and an enabled radio check button beside it.

Configuring the Azure Windows Server VM firewall rules

The Windows Server VM has its own set of firewall rules, so it may be necessary to allow inbound application traffic such as MQTT on port 1883. To do so, open the “Windows Firewall with Advanced Security” service.

Add a new rule for inbound connections on port 1883.

See https://technet.microsoft.com/en-us/library/cc753558(v=ws.11).aspx for more information on firewall configurations.
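The same inbound rule can be created from an elevated PowerShell prompt on the VM and scoped to the tunnel rather than left open to any source. This is an added example, not part of the original recipe; the device range is a constructed value, and matching the adapter by the word "Asavie" in its description is an assumption.

```powershell
# Constructed value: replace with the address range of your SIM endpoints.
$DeviceRange = '10.20.0.0/16'

# Assumption: the tunnel adapter's description contains "Asavie"
# (the page calls it the "Asavie Virtual Network Adapter").
$Tunnel = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like '*Asavie*' } |
    Select-Object -First 1
if (-not $Tunnel) { throw 'Asavie tunnel adapter not found; is the Network Connector installed?' }

# Allow MQTT only from the device range and only on the tunnel adapter.
New-NetFirewallRule -DisplayName 'MQTT 1883 from IoT tunnel' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1883 `
    -RemoteAddress $DeviceRange -InterfaceAlias $Tunnel.Name | Out-Null

# True when a port filter value ('Any', '1883', '1000-2000') covers the given port.
function Test-PortCovered([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Audit: every enabled inbound allow rule that reaches TCP 1883, with its remote scope.
# Port 1883 is the non-TLS MQTT port, so a row with RemoteAddress 'Any' needs review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -in 'TCP', 'Any' -and (Test-PortCovered $pf.LocalPort 1883)) {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = $pf.LocalPort -join ','
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
} | Format-Table -AutoSize
```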

IoT Edge gateway configuration

Note the iSimplyConnect SIM card details (viewable on the credit card holder), insert the SIM into the IoT edge cellular gateway and power on. Log into your iSimplyConnect account and select the “SIM Cards” tab. Double right click on the SIM card entry and in the new window set the SIM status as Test or Live. This will enable the application traffic to flow.

Multi-interface IoT gateways

If the gateway has multiple interfaces, e.g. LAN/Wi-Fi/Cellular, it may be necessary to add a route to the gateway. To do this you will need to know the cellular assigned IP address, in order to route the data correctly through to the target application service.

1 – Open the cellular modem application on the IoT edge gateway, note the IP address assigned by the carrier to the cellular interface.

Alternatively, using the command line interface on the gateway, type “ipconfig” for Windows or “ifconfig” for Linux OS.

2 – Log into your Azure portal and note the local IP address of the VM you wish to send the data to.

3 – On the IoT edge gateway, open a command line prompt. Add the route for the Azure VM local IP address to go via the cellular IP address.

Windows OS: route add <target_CloudVirtualNetwork_IP> mask <255.x.x.x> <LocalMachine_IP> -p

Linux OS: ip route add <target_CloudVirtualNetwork_IP/xx> dev <Interface_ID>
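
On a Windows gateway, the check below confirms that traffic for the Azure VM really leaves through the cellular interface and not through LAN or Wi-Fi. It is an added example, not part of the original recipe; both addresses are constructed values, and Find-NetRoute and Test-NetConnection require Windows 8.1 / Server 2012 R2 or later.

```powershell
# Constructed values: replace with your own addresses.
$TargetIp   = '10.1.0.4'     # local IP address of the Azure VM (step 2)
$CellularIp = '10.20.0.15'   # address the carrier assigned to the cellular interface (step 1)

# Find-NetRoute returns two objects: the source address and the route
# that Windows would select for this destination.
$best  = Find-NetRoute -RemoteIPAddress $TargetIp
$src   = $best | Where-Object { $_.IPAddress }         | Select-Object -First 1
$route = $best | Where-Object { $_.DestinationPrefix } | Select-Object -First 1

if ($src.IPAddress -ne $CellularIp) {
    # The added route is missing or is losing to another interface's route.
    Write-Warning ("Traffic to $TargetIp would leave from $($src.IPAddress) " +
                   "on '$($src.InterfaceAlias)', not from the cellular address $CellularIp.")
} else {
    "OK: $TargetIp matches route $($route.DestinationPrefix) on '$($route.InterfaceAlias)'"
}

# End-to-end check of the application port opened on the VM firewall.
$t = Test-NetConnection -ComputerName $TargetIp -Port 1883
"TCP 1883 reachable: $($t.TcpTestSucceeded) (source address $($t.SourceAddress.IPAddress))"
```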